apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ingressnginxcontrollers.deckhouse.io
  labels:
    heritage: deckhouse
    module: ingress-nginx
spec:
  group: deckhouse.io
  scope: Cluster
  names:
    plural: ingressnginxcontrollers
    singular: ingressnginxcontroller
    kind: IngressNginxController
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          type: object
          required: ['spec']
          properties:
            spec:
              type: object
              required: ['inlet']
              properties:
                ingressClass:
                  type: string
                  description: |
                    The name of the Ingress class to use with the NGINX Ingress controller.

                    Using this option, you can create several controllers to use with a single ingress

                    **Caution!** If you set it to "nginx", then Ingress resources lacking the `kubernetes.io/ingress.class` annotation or `spec.ingressClassName` field will also be handled.
                  x-doc-examples: ['nginx']
                  default: 'nginx'
                  pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                inlet:
                  type: string
                  description: |
                    The way traffic from the external network is routed to the cluster. Once you have set the method, you cannot change it later.
                    * `LoadBalancer` — Ingress controller is deployed and the service of `LoadBalancer` type is provisioned.
                    * `LoadBalancerWithProxyProtocol` — Ingress controller is deployed and the service of `LoadBalancer` type is provisioned. Ingress controller uses proxy-protocol to get a real IP of the client.
                    * `HostPort` — Ingress controller is deployed and available through nodes' ports via `hostPort`;

                      Settings are required in [spec.HostPort](#ingressnginxcontroller-v1-spec-hostport).
                    * `HostPortWithProxyProtocol` — Ingress controller is deployed and available through nodes' ports via `hostPort, it uses proxy-protocol to get a real IP of the client;

                      Settings are required in [spec.HostPortWithProxyProtocol](#ingressnginxcontroller-v1-spec-hostportwithproxyprotocol).

                      **Caution!** Make sure that requests to the Ingress are sent from trusted sources when using this inlet. The [acceptRequestsFrom](cr.html#ingressnginxcontroller-v1-spec-acceptrequestsfrom) parameter can help you with defining trusted sources.
                    * `HostWithFailover` — installs two ingress controllers, the primary and the backup one. The primary controller runs in a hostNetwork. If the pods of the primary controller are not available, the traffic is routed to the backup one;

                      **Caution!** There can be only one controller with this inlet type on a host.

                      **Caution!** The following ports must be available on the node: 80, 81, 443, 444, 10354, 10355.

                      **Caution!** To change inlet, remove the iptables rules and restart the `kube-proxy` pods or reboot the nodes hosting Ingress controllers.
                  enum: ["LoadBalancer","LoadBalancerWithProxyProtocol","HostPort","HostPortWithProxyProtocol", "HostWithFailover"]
                controllerVersion:
                  type: string
                  description: |
                    One of the supported NGINX Ingress controller versions.

                    **By default**: the version in the [module settings](configuration.html#parameters-defaultcontrollerversion) is used.
                  enum: ['1.6','1.9']
                enableIstioSidecar:
                  type: boolean
                  description: |
                    Attach annotations to the controller pods to automatically inject Istio sidecar containers.

                    After setting this parameter, the `sidecar.istio.io/inject: "true"` and `traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>"` annotations will be attached to the ingress-controller pods. During pod creation, the Istio's mutating webhook will add the sidecar to it. After that, the sidecar will catch the network traffic to Service CIDR.

                    To use this feature in your application, you must add these annotations to your Ingress resources:
                    * `nginx.ingress.kubernetes.io/service-upstream: "true"` — using this annotation, the ingress-controller sends requests to a single ClusterIP (from Service CIDR) while envoy load balances them. Istio sidecar containers only catching traffic directed to Service CIDR.
                    * `nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc` — using this annotation, the sidecar can identify the application service that serves requests.
                waitLoadBalancerOnTerminating:
                  x-kubernetes-int-or-string: true
                  type: integer
                  description: |
                    The number of seconds before the /healthz location will start to return a 500 code when the pod enters the Terminating state.
                    This parameter has default values:
                      - 0s - for HostWithFailover
                      - 60s - for HostPort and HostPortWithProxyProtocol
                      - 120s - for LoadBalancer and LoadBalancerWithProxyProtocol
                chaosMonkey:
                  type: boolean
                  default: false
                  description: |
                    The instrument for unexpected and random termination of ingress controller Pods in a systemic manner. Chaos Monkey tests the resilience of ingress controller.
                validationEnabled:
                  type: boolean
                  default: true
                  description: |
                    Enable ingress validation admission.
                annotationValidationEnabled:
                  type: boolean
                  default: false
                  description: |
                    Enables the annotation validation feature.

                    Requires a controller of 1.9 version.
                nodeSelector:
                  type: object
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                  description: |
                    The same as in the pods' `spec.nodeSelector` parameter in Kubernetes.

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Format**: the standard `nodeSelector` list. Instance pods inherit this field as is.
                tolerations:
                  type: array
                  description: |
                    [The same](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) as in the pods' `spec.tolerations` parameter in Kubernetes;

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Format**: the standard [toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) list. Instance pods inherit this field as is.
                  items:
                    type: object
                    properties:
                      effect:
                        type: string
                        enum: ["NoSchedule","PreferNoSchedule","NoExecute"]
                      operator:
                        type: string
                        default: "Equal"
                        enum: ["Exists","Equal"]
                      key:
                        type: string
                      tolerationSeconds:
                        format: int64
                        type: integer
                      value:
                        type: string
                loadBalancer:
                  type: object
                  x-doc-required: false
                  description: |
                    A section of parameters of the `LoadBalancer` inlet.
                  properties:
                    sourceRanges:
                      type: array
                      description: |
                        IP ranges (CIDR) that are allowed to access the load balancer.

                        The cloud provider may not support this option or ignore it.                       .
                      items:
                        type: string
                        pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                    annotations:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                      description: |
                        Annotations to assign to the service for flexible configuration of the load balancer.

                        **Caution!** The module does not take into account the specifics of setting annotations in different clouds.
                        Note that you will need to recreate `IngressNginxController` (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.
                      additionalProperties:
                        type: string
                    behindL7Proxy:
                      type: boolean
                      description: |
                        Accepts all the incoming `X-Forwarded-*` headers and passes them to upstreams.

                        **Caution!** Make sure that requests to the Ingress are sent from trusted sources when using this option.
                    realIPHeader:
                      type: string
                      description: |
                        Sets the header field for identifying the originating IP address of a client.

                        This option works only if `behindL7Proxy` is enabled.
                      x-doc-examples: ['CF-Connecting-IP']
                      default: 'X-Forwarded-For'
                loadBalancerWithProxyProtocol:
                  type: object
                  x-doc-required: false
                  description: |
                    A section of parameters of the `LoadBalancerWithProxyProtocol` inlet.
                  properties:
                    sourceRanges:
                      type: array
                      description: |
                        IP ranges (CIDR) that are allowed to access the load balancer.

                        The cloud provider may not support this option or ignore it.                       .
                      items:
                        type: string
                        pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                    annotations:
                      type: object
                      description: |
                        Annotations that will be passed to service with type load balancer to configure it.

                        **Caution!** The module does not take into account the specifics of setting annotations in different clouds.
                        Note that you will need to recreate `IngressNginxController` (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.
                      additionalProperties:
                        type: string
                      x-kubernetes-preserve-unknown-fields: true
                hostPort:
                  type: object
                  description: |
                    `HostPort` inlet settings.
                  anyOf:
                    - {required: ["httpPort"]}
                    - {required: ["httpsPort"]}
                  properties:
                    httpPort:
                      type: integer
                      description: |
                        Port for insecure HTTP connections.

                        If the parameter is not set, the connection over HTTP cannot be established.

                        This parameter is mandatory if `httpsPort` is not set.
                      x-doc-examples: ['80']
                    httpsPort:
                      type: integer
                      description: |
                        Port for secure HTTPS connections.

                        If the parameter is not set, the connection over HTTPS cannot be established.

                        This parameter is mandatory if `httpPort` is not set.
                      x-doc-examples: ['443']
                      x-kubernetes-validations:
                        - message: .spec.hostPort.httpsPort can't be 6443, it's reserved for kube-apiserver
                          rule: 'self != 6443'
                    behindL7Proxy:
                      type: boolean
                      description: |
                        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

                        **Caution!** Make sure that requests to the ingress are sent from trusted sources when using this option. The `acceptRequestsFrom` parameter can help you with defining trusted sources.
                    realIPHeader:
                      type: string
                      description: |
                        Sets the header field for identifying the originating IP address of a client.

                        This option works only if `behindL7Proxy` is enabled.
                      default: 'X-Forwarded-For'
                      x-doc-examples: ['CF-Connecting-IP']
                hostPortWithProxyProtocol:
                  type: object
                  description: |
                    A section of parameters of the `HostPortWithProxyProtocol` inlet.
                  anyOf:
                    - {required: ['httpPort']}
                    - {required: ['httpsPort']}
                  properties:
                    httpPort:
                      type: integer
                      description: |
                        Port for insecure HTTP connections.

                        If the parameter is not set, the connection over HTTP cannot be established.

                        This parameter is mandatory if `httpsPort` is not set.
                      x-doc-examples: ['80']
                    httpsPort:
                      type: integer
                      description: |
                        Port for secure HTTPS connections.

                        If the parameter is not set, the connection over HTTPS cannot be established.

                        This parameter is mandatory if `httpPort` is not set.
                      x-doc-examples: ['443']
                      x-kubernetes-validations:
                        - message: .spec.hostPortWithProxyProtocol.httpsPort can't be 6443, it's reserved for kube-apiserver
                          rule: 'self != 6443'
                acceptRequestsFrom:
                  type: array
                  description: |
                    IP or CIDR that is allowed to access the Ingress controller.

                    Regardless of the inlet type, the source IP address gets always verified (the `original_address` field in logs) (the address that the connection was established from) and not the "address of the client" that can be passed in some inlets via headers or using the proxy protocol.

                    This parameter is implemented using the [map module](http://nginx.org/en/docs/http/ngx_http_map_module.html). If the source address is not in the list of allowed addresses, nginx closes the connection immediately using HTTP code 444.

                    By default, the connection to the controller can be made from any address.
                  items:
                    type: string
                    pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                hsts:
                  type: boolean
                  description: |
                    Determines whether hsts is enabled ([read more...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)).
                  default: false
                hstsOptions:
                  type: object
                  description: 'Options for HTTP Strict Transport Security.'
                  properties:
                    maxAge:
                      type: string
                      description: 'The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.'
                      pattern: '^[1-9][0-9]*$'
                      x-doc-examples: ["31536000"]
                      x-doc-default: "31536000"
                    preload:
                      type: boolean
                      description: 'Add your site to preload list to enforce to use SSL/TLS connections on your site.'
                      default: false
                    includeSubDomains:
                      type: boolean
                      description: 'If this optional parameter is specified, this rule applies to all of subdomains as well.'
                      default: false
                geoIP2:
                  type: object
                  description: 'Enable GeoIP2 databases.'
                  properties:
                    maxmindLicenseKey:
                      type: string
                      description: |
                        A license key to download the GeoIP2 database.

                        If the key is set, the module downloads the GeoIP2 database every time the controller is started. Click [here](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) to learn more about obtaining a license key.
                    maxmindEditionIDs:
                      type: array
                      description: |
                        A list of database editions to download at startup.

                        [More info...](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data)
                      default: ["GeoLite2-City", "GeoLite2-ASN"]
                      items:
                        type: string
                        enum:
                          - GeoIP2-Anonymous-IP
                          - GeoIP2-Country
                          - GeoIP2-City
                          - GeoIP2-Connection-Type
                          - GeoIP2-Domain
                          - GeoIP2-ISP
                          - GeoIP2-ASN
                          - GeoLite2-ASN
                          - GeoLite2-Country
                          - GeoLite2-City
                legacySSL:
                  type: boolean
                  description: |
                    Enable old TLS protocol versions and legacy cipher suites.

                    Also, this options enables legacy cipher suites to support legacy libraries and software: [OWASP Cipher String 'C' ](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html). Learn more [here](https://github.com/deckhouse/deckhouse/blob/main/modules/402-ingress-nginx/templates/controller/configmap.yaml).

                    By default, only TLSv1.2 and the newest cipher suites are enabled.
                disableHTTP2:
                  type: boolean
                  description: |
                    Switch off HTTP2 support.
                  default: false
                config:
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                  description: |
                    The section with the Ingress controller parameters.

                    You can specify [any supported parameter](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) in it in the `key: value (string)` format.

                    **Caution!** An erroneous option may lead to the failure of the ingress controller;

                    **Caution!** The usage of this parameter is not recommended; the backward compatibility or operability of the ingress controller that uses this option is not guaranteed
                additionalHeaders:
                  type: object
                  description: |
                    Additional headers to add to all request. (map: key (string)).
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                additionalLogFields:
                  type: object
                  description: |
                    Additional fields to add to nginx logs. (map: key (string)).
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                resourcesRequests:
                  required: ['mode']
                  type: object
                  description: |
                    Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).
                  properties:
                    mode:
                      type: string
                      description: |
                        The mode for managing resource requests.
                      enum: ['VPA', 'Static']
                      default: 'VPA'
                    vpa:
                      type: object
                      description: |
                        Parameters of the vpa mode.
                      properties:
                        mode:
                          type: string
                          description: |
                            The VPA usage mode.
                          enum: ['Initial', 'Auto']
                          default: 'Initial'
                        cpu:
                          type: object
                          description: |
                            CPU-related parameters.
                          properties:
                            max:
                              description: |
                                Maximum allowed CPU requests.
                              default: '50m'
                              type: string
                            min:
                              description: |
                                Minimum allowed CPU requests.
                              default: '10m'
                              type: string
                        memory:
                          type: object
                          description: |
                            The amount of memory requested.
                          properties:
                            max:
                              description: |
                                Maximum allowed memory requests.
                              default: '200Mi'
                              type: string
                            min:
                              description: |
                                Minimum allowed memory requests.
                              default: '50Mi'
                              type: string
                    static:
                      type: object
                      description: |
                        Static mode settings.
                      properties:
                        cpu:
                          type: string
                          description: |
                            CPU requests.
                          default: '350m'
                        memory:
                          type: string
                          description: |
                            Memory requests.
                          default: '500Mi'
                customErrors:
                  type: object
                  description: |
                    The section with parameters of custom HTTP errors.

                    All parameters in this section are mandatory if it is defined. Changing any parameter **leads to the restart of all NGINX Ingress controllers**.
                  required: ['namespace', 'serviceName', 'codes']
                  properties:
                    serviceName:
                      type: string
                      description: |
                        Name of kubernetes service that leads to custom errors backend.
                      x-doc-examples: ['custom-errors-backend-service']
                    namespace:
                      type: string
                      description: |
                        Namespace of custom errors backend.
                      x-doc-examples: ['default']
                    codes:
                      type: array
                      description: |
                        Error codes which should be redirected to custom errors backend.
                      items:
                        type: string
                        name: 'Error code.'
                        pattern: '^[1-5][0-9][0-9]$'
                underscoresInHeaders:
                  type: boolean
                  description: |
                    Determines whether underscores are allowed in headers. Learn [more...](http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers).

                    [This tutorial](https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#missing-disappearing-http-headers) sheds light on why you should not enable it without careful consideration.
                  default: false
                minReplicas:
                  type: integer
                  description: |
                    LoadBalancer and LoadBalancerWithProxyProtocol controller's Horizontal Pod Autoscaler minimum replicas count.
                  default: 1
                  minimum: 1
                maxReplicas:
                  type: integer
                  description: |
                    LoadBalancer and LoadBalancerWithProxyProtocol controller's Horizontal Pod Autoscaler maximum replicas count.
                  default: 1
                  minimum: 1
                defaultSSLCertificate:
                  description: |
                    This certificate is used:
                    - for `catch-all` server requests (here, "catch-all server" refers to the nginx [server directive](http://nginx.org/en/docs/http/ngx_http_core_module.html#server)). Requests for which there is no corresponding Ingress resource end up on the `catch-all` server.
                    - for Ingress resources that do not have a `secretName` specified in the `tls` section.

                    By default, a self-signed certificate is used.

                    **Caution!** This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the [modules.https.customCertificate](../../deckhouse-configure-global.html#parameters-modules-https-customcertificate) global parameter.
                  type: object
                  properties:
                    secretRef:
                      description: |
                        The Secret reference to pass to the Ingress Controller.
                      type: object
                      properties:
                        name:
                          description: |
                            Name of Secret containing SSL—certificate.
                          type: string
                          pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        namespace:
                          description: |
                            Namespace, where the Secret is located.
                          default: d8-ingress-nginx
                          type: string
                          pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
              oneOf:
                - properties:
                    inlet:
                      enum: ['LoadBalancer']
                    loadBalancer: {}
                - properties:
                    inlet:
                      enum: ['LoadBalancerWithProxyProtocol']
                    loadBalancerWithProxyProtocol: {}
                - properties:
                    inlet:
                      enum: ['HostPort']
                    hostPort: {}
                  required: ['hostPort']
                - properties:
                    inlet:
                      enum: ['HostPortWithProxyProtocol']
                    hostPortWithProxyProtocol: {}
                  required: ['hostPortWithProxyProtocol']
                - properties:
                    inlet:
                      enum: ['HostWithFailover']
                    hostWithFailover: {}
              x-kubernetes-validations:
                - message: .spec.controllerVersion should be explicitly set to 1.9 for .spec.annotationValidationEnabled to make effect
                  rule: 'self.annotationValidationEnabled == true ? self.controllerVersion == ''1.9'': true'
      additionalPrinterColumns:
        - jsonPath: .spec.ingressClass
          name: Ingress Class
          description: 'Name of served ingress class.'
          type: string
        - jsonPath: .spec.inlet
          name: Inlet
          description: 'The way traffic goes to current Ingress Controller from the outer network.'
          type: string
        - jsonPath: .spec.controllerVersion
          name: Controller Version
          description: 'Current NGINX Ingress Controller version.'
          type: string
    - name: v1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          required: ['spec']
          properties:
            status:
              type: object
              properties:
                loadBalancer:
                  type: object
                  properties:
                    ip:
                      type: string
                      description: |
                        The IP address of the load balancer.
                    hostname:
                      type: string
                      description: |
                        The hostname of the LoadBalancer.
            spec:
              type: object
              required: ['inlet']
              properties:
                ingressClass:
                  type: string
                  description: |
                    The name of the Ingress class to use with the NGINX Ingress controller.

                    Using this option, you can create several controllers to use with a single ingress

                    **Caution!** If you set it to "nginx", then Ingress resources lacking the `kubernetes.io/ingress.class` annotation or `spec.ingressClassName` field will also be handled.
                  x-doc-examples: ['nginx']
                  default: 'nginx'
                  pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                inlet:
                  type: string
                  description: |
                    The way traffic goes to cluster from the outer network.
                    * `LoadBalancer` — Ingress controller is deployed and the service of `LoadBalancer` type is provisioned.
                    * `LoadBalancerWithProxyProtocol` — Ingress controller is deployed and the service of `LoadBalancer` type is provisioned. Ingress controller uses proxy-protocol to get a real IP of the client.
                    * `HostPort` — Ingress controller is deployed and available through nodes' ports via `hostPort`.
                    * `HostPortWithProxyProtocol` — Ingress controller is deployed and available through nodes' ports via `hostPort, it uses proxy-protocol to get a real IP of the client.

                      **Caution!** Make sure that requests to the Ingress are sent from trusted sources when using this inlet. The `acceptRequestsFrom` parameter can help you with defining trusted sources.
                    * `HostWithFailover` — installs two ingress controllers, the primary and the backup one. The primary controller runs in a hostNetwork. If the pods of the primary controller are not available, the traffic is routed to the backup one;

                      **Caution!** There can be only one controller with this inlet type on a host.

                      **Caution!** The following ports must be available on the node: 80, 81, 443, 444, 10354, 10355.
                  enum: ["LoadBalancer","LoadBalancerWithProxyProtocol","HostPort","HostPortWithProxyProtocol", "HostWithFailover"]
                controllerVersion:
                  type: string
                  description: |
                    One of the supported NGINX Ingress controller versions.

                    **By default**: the version in the [module settings](configuration.html#parameters-defaultcontrollerversion) is used.
                  enum: ['1.6','1.9']
                enableIstioSidecar:
                  type: boolean
                  description: |
                    Attach annotations to the controller pods to automatically inject Istio sidecar containers.

                    After setting this parameter, the `sidecar.istio.io/inject: "true"` and `traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>"` annotations will be attached to the ingress-controller pods. During pod creation, the Istio's mutating webhook will add the sidecar to it. After that, the sidecar will catch the network traffic to Service CIDR.

                    To use this feature in your application, you must add these annotations to your Ingress resources:
                    * `nginx.ingress.kubernetes.io/service-upstream: "true"` — using this annotation, the ingress-controller sends requests to a single ClusterIP (from Service CIDR) while envoy load balances them. Istio sidecar containers only catching traffic directed to Service CIDR.
                    * `nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc` — using this annotation, the sidecar can identify the application service that serves requests.
                waitLoadBalancerOnTerminating:
                  x-kubernetes-int-or-string: true
                  type: integer
                  description: |
                    The number of seconds before the /healthz location will start to return a 500 code when the pod enters the Terminating state.
                    This parameter has default values:
                      - 0s - for HostWithFailover
                      - 60s - for HostPort and HostPortWithProxyProtocol
                      - 120s - for LoadBalancer and LoadBalancerWithProxyProtocol
                chaosMonkey:
                  type: boolean
                  default: false
                  description: |
                    The instrument for unexpected and random termination of ingress controller Pods in a systemic manner. Chaos Monkey tests the resilience of ingress controller.
                validationEnabled:
                  type: boolean
                  default: true
                  description: |
                    Enable ingress validation admission.
                annotationValidationEnabled:
                  type: boolean
                  default: false
                  description: |
                    Enables the annotation validation feature.

                    Requires a controller of 1.9 version.
                nodeSelector:
                  type: object
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                  description: |
                    The same as in the pods' `spec.nodeSelector` parameter in Kubernetes.

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Format**: the standard `nodeSelector` list. Instance pods inherit this field as is.
                tolerations:
                  type: array
                  description: |
                    [The same](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) as in the pods' `spec.tolerations` parameter in Kubernetes;

                    If the parameter is omitted or `false`, it will be determined [automatically](https://deckhouse.io/documentation/v1/#advanced-scheduling).

                    **Format**: the standard [toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) list. Instance pods inherit this field as is.
                  items:
                    type: object
                    properties:
                      effect:
                        type: string
                        enum: ["NoSchedule","PreferNoSchedule","NoExecute"]
                      operator:
                        type: string
                        default: "Equal"
                        enum: ["Exists","Equal"]
                      key:
                        type: string
                      tolerationSeconds:
                        format: int64
                        type: integer
                      value:
                        type: string
                loadBalancer:
                  type: object
                  x-doc-required: false
                  description: |
                    A section of parameters of the `LoadBalancer` inlet.
                  properties:
                    sourceRanges:
                      type: array
                      description: |
                        IP ranges (CIDR) that are allowed to access the load balancer.

                        The cloud provider may not support this option or ignore it.                       .
                      items:
                        type: string
                        pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                    annotations:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                      description: |
                        Annotations to assign to the service for flexible configuration of the load balancer.

                        **Caution!** The module does not take into account the specifics of setting annotations in different clouds.
                        Note that you will need to recreate `IngressNginxController` (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.
                      additionalProperties:
                        type: string
                    behindL7Proxy:
                      type: boolean
                      description: |
                        Accepts all the incoming `X-Forwarded-*` headers and passes them to upstreams.

                        **Caution!** Make sure that requests to the Ingress are sent from trusted sources when using this option.
                    realIPHeader:
                      type: string
                      description: |
                        Sets the header field for identifying the originating IP address of a client.

                        This option works only if `behindL7Proxy` is enabled.
                      x-doc-examples: ['CF-Connecting-IP']
                      default: 'X-Forwarded-For'
                loadBalancerWithProxyProtocol:
                  type: object
                  x-doc-required: false
                  description: |
                    A section of parameters of the `LoadBalancerWithProxyProtocol` inlet.
                  properties:
                    sourceRanges:
                      type: array
                      description: |
                        IP ranges (CIDR) that are allowed to access the load balancer.

                        The cloud provider may not support this option or ignore it.                       .
                      items:
                        type: string
                        pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                    annotations:
                      type: object
                      description: |
                        Annotations that will be passed to service with type load balancer to configure it.

                        **Caution!** The module does not take into account the specifics of setting annotations in different clouds.
                        Note that you will need to recreate `IngressNginxController` (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.
                      additionalProperties:
                        type: string
                      x-kubernetes-preserve-unknown-fields: true
                hostPort:
                  type: object
                  description: |
                    `HostPort` inlet settings.
                  anyOf:
                    - {required: ["httpPort"]}
                    - {required: ["httpsPort"]}
                  properties:
                    httpPort:
                      type: integer
                      description: |
                        Port for insecure HTTP connections.

                        If the parameter is not set, the connection over HTTP cannot be established.

                        This parameter is mandatory if `httpsPort` is not set.
                      x-doc-examples: ['80']
                    httpsPort:
                      type: integer
                      description: |
                        Port for secure HTTPS connections.

                        If the parameter is not set, the connection over HTTPS cannot be established.

                        This parameter is mandatory if `httpPort` is not set.
                      x-doc-examples: ['443']
                      x-kubernetes-validations:
                        - message: .spec.hostPort.httpsPort can't be 6443, it's reserved for kube-apiserver
                          rule: 'self != 6443'
                    behindL7Proxy:
                      type: boolean
                      description: |
                        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

                        **Caution!** Make sure that requests to the ingress are sent from trusted sources when using this option. The `acceptRequestsFrom` parameter can help you with defining trusted sources.
                    realIPHeader:
                      type: string
                      description: |
                        Sets the header field for identifying the originating IP address of a client.

                        This option works only if `behindL7Proxy` is enabled.
                      default: 'X-Forwarded-For'
                      x-doc-examples: ['CF-Connecting-IP']
                hostPortWithProxyProtocol:
                  type: object
                  description: |
                    A section of parameters of the `HostPortWithProxyProtocol` inlet.
                  anyOf:
                    - {required: ['httpPort']}
                    - {required: ['httpsPort']}
                  properties:
                    httpPort:
                      type: integer
                      description: |
                        Port for insecure HTTP connections.

                        If the parameter is not set, the connection over HTTP cannot be established.

                        This parameter is mandatory if `httpsPort` is not set.
                      x-doc-examples: ['80']
                    httpsPort:
                      type: integer
                      description: |
                        Port for secure HTTPS connections.

                        If the parameter is not set, the connection over HTTPS cannot be established.

                        This parameter is mandatory if `httpPort` is not set.
                      x-doc-examples: ['443']
                      x-kubernetes-validations:
                        - message: .spec.hostPortWithProxyProtocol.httpsPort can't be 6443, it's reserved for kube-apiserver
                          rule: 'self != 6443'
                acceptRequestsFrom:
                  type: array
                  description: |
                    IP or CIDR that is allowed to access the Ingress controller.

                    Regardless of the inlet type, the source IP address gets always verified (the `original_address` field in logs) (the address that the connection was established from) and not the "address of the client" that can be passed in some inlets via headers or using the proxy protocol.

                    This parameter is implemented using the [map module](http://nginx.org/en/docs/http/ngx_http_map_module.html). If the source address is not in the list of allowed addresses, nginx closes the connection immediately using HTTP code 444.

                    By default, the connection to the controller can be made from any address.
                  items:
                    type: string
                    pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$'
                hsts:
                  type: boolean
                  description: |
                    Determines whether hsts is enabled ([read more...](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)).
                  default: false
                hstsOptions:
                  type: object
                  description: 'Options for HTTP Strict Transport Security.'
                  properties:
                    maxAge:
                      type: string
                      description: 'The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.'
                      pattern: '^[1-9][0-9]*$'
                      x-doc-examples: ["31536000"]
                      x-doc-default: "31536000"
                    preload:
                      type: boolean
                      description: 'Add your site to preload list to enforce to use SSL/TLS connections on your site.'
                      default: false
                    includeSubDomains:
                      type: boolean
                      description: 'If this optional parameter is specified, this rule applies to all of subdomains as well.'
                      default: false
                geoIP2:
                  type: object
                  description: 'Enable GeoIP2 databases.'
                  properties:
                    maxmindLicenseKey:
                      type: string
                      description: |
                        A license key to download the GeoIP2 database.

                        If the key is set, the module downloads the GeoIP2 database every time the controller is started. Click [here](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) to learn more about obtaining a license key.
                    maxmindEditionIDs:
                      type: array
                      description: |
                        A list of database editions to download at startup.

                        [More info...](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data)
                      default: ["GeoLite2-City", "GeoLite2-ASN"]
                      items:
                        type: string
                        enum:
                          - GeoIP2-Anonymous-IP
                          - GeoIP2-Country
                          - GeoIP2-City
                          - GeoIP2-Connection-Type
                          - GeoIP2-Domain
                          - GeoIP2-ISP
                          - GeoIP2-ASN
                          - GeoLite2-ASN
                          - GeoLite2-Country
                          - GeoLite2-City
                legacySSL:
                  type: boolean
                  description: |
                    Enable old TLS protocol versions and legacy cipher suites.

                    Also, this options enables legacy cipher suites to support legacy libraries and software: [OWASP Cipher String 'C' ](https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html). Learn more [here](https://github.com/deckhouse/deckhouse/blob/main/modules/402-ingress-nginx/templates/controller/configmap.yaml).

                    By default, only TLSv1.2 and the newest cipher suites are enabled.
                disableHTTP2:
                  type: boolean
                  description: |
                    Switch off HTTP2 support.
                  default: false
                config:
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                  description: |
                    The section with the Ingress controller parameters.

                    You can specify [any supported parameter](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) in it in the `key: value (string)` format.

                    **Caution!** An erroneous option may lead to the failure of the ingress controller;

                    **Caution!** The usage of this parameter is not recommended; the backward compatibility or operability of the ingress controller that uses this option is not guaranteed
                additionalHeaders:
                  type: object
                  description: |
                    Additional headers to add to all request. (map: key (string)).
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                additionalLogFields:
                  type: object
                  description: |
                    Additional fields to add to nginx logs. (map: key (string)).
                  additionalProperties:
                    type: string
                  x-kubernetes-preserve-unknown-fields: true
                resourcesRequests:
                  required: ['mode']
                  type: object
                  description: |
                    Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).
                  properties:
                    mode:
                      type: string
                      description: |
                        The mode for managing resource requests.
                      enum: ['VPA', 'Static']
                      default: 'VPA'
                    vpa:
                      type: object
                      description: |
                        Parameters of the vpa mode.
                      properties:
                        mode:
                          type: string
                          description: |
                            The VPA usage mode.
                          enum: ['Initial', 'Auto']
                          default: 'Initial'
                        cpu:
                          type: object
                          description: |
                            CPU-related parameters.
                          properties:
                            max:
                              description: |
                                Maximum allowed CPU requests.
                              default: '50m'
                              type: string
                            min:
                              description: |
                                Minimum allowed CPU requests.
                              default: '10m'
                              type: string
                        memory:
                          type: object
                          description: |
                            The amount of memory requested.
                          properties:
                            max:
                              description: |
                                Maximum allowed memory requests.
                              default: '200Mi'
                              type: string
                            min:
                              description: |
                                Minimum allowed memory requests.
                              default: '50Mi'
                              type: string
                    static:
                      type: object
                      description: |
                        Static mode settings.
                      properties:
                        cpu:
                          type: string
                          description: |
                            CPU requests.
                          default: '350m'
                        memory:
                          type: string
                          description: |
                            Memory requests.
                          default: '500Mi'
                customErrors:
                  type: object
                  description: |
                    The section with parameters of custom HTTP errors.

                    All parameters in this section are mandatory if it is defined. Changing any parameter **leads to the restart of all NGINX Ingress controllers**.
                  required: ['namespace', 'serviceName', 'codes']
                  properties:
                    serviceName:
                      type: string
                      description: |
                        Name of kubernetes service that leads to custom errors backend.
                      x-doc-examples: ['custom-errors-backend-service']
                    namespace:
                      type: string
                      description: |
                        Namespace of custom errors backend.
                      x-doc-examples: ['default']
                    codes:
                      type: array
                      description: |
                        Error codes which should be redirected to custom errors backend.
                      items:
                        type: string
                        name: 'Error code.'
                        pattern: '^[1-5][0-9][0-9]$'
                underscoresInHeaders:
                  type: boolean
                  description: |
                    Determines whether underscores are allowed in headers. Learn [more...](http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers).

                    [This tutorial](https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#missing-disappearing-http-headers) sheds light on why you should not enable it without careful consideration.
                  default: false
                minReplicas:
                  type: integer
                  description: |
                    LoadBalancer and LoadBalancerWithProxyProtocol controller's Horizontal Pod Autoscaler minimum replicas count.
                  default: 1
                  minimum: 1
                maxReplicas:
                  type: integer
                  description: |
                    LoadBalancer and LoadBalancerWithProxyProtocol controller's Horizontal Pod Autoscaler maximum replicas count.
                  default: 1
                  minimum: 1
                defaultSSLCertificate:
                  description: |
                    This certificate is used:
                    - for `catch-all` server requests (here, "catch-all server" refers to the nginx [server directive](http://nginx.org/en/docs/http/ngx_http_core_module.html#server)). Requests for which there is no corresponding Ingress resource end up on the `catch-all` server.
                    - for Ingress resources that do not have a `secretName` specified in the `tls` section.

                    By default, a self-signed certificate is used.

                    **Caution!** This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the [modules.https.customCertificate](../../deckhouse-configure-global.html#parameters-modules-https-customcertificate) global parameter.
                  type: object
                  properties:
                    secretRef:
                      description: |
                        The Secret reference to pass to the Ingress Controller.
                      type: object
                      properties:
                        name:
                          description: |
                            Name of Secret containing SSL—certificate.
                          type: string
                          pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        namespace:
                          description: |
                            Namespace, where the Secret is located.
                          default: d8-ingress-nginx
                          type: string
                          pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
              oneOf:
                - properties:
                    inlet:
                      enum: ['LoadBalancer']
                    loadBalancer: {}
                - properties:
                    inlet:
                      enum: ['LoadBalancerWithProxyProtocol']
                    loadBalancerWithProxyProtocol: {}
                - properties:
                    inlet:
                      enum: ['HostPort']
                    hostPort: {}
                  required: ['hostPort']
                - properties:
                    inlet:
                      enum: ['HostPortWithProxyProtocol']
                    hostPortWithProxyProtocol: {}
                  required: ['hostPortWithProxyProtocol']
                - properties:
                    inlet:
                      enum: ['HostWithFailover']
                    hostWithFailover: {}
              x-kubernetes-validations:
                - message: .spec.controllerVersion should be explicitly set to 1.9 for .spec.annotationValidationEnabled to make effect
                  rule: 'self.annotationValidationEnabled == true ? self.controllerVersion == ''1.9'': true'
      additionalPrinterColumns:
        - jsonPath: .spec.ingressClass
          name: Ingress Class
          description: 'Name of served ingress class.'
          type: string
        - jsonPath: .spec.inlet
          name: Inlet
          description: 'The way traffic goes to current Ingress Controller from the outer network.'
          type: string
        - jsonPath: .spec.controllerVersion
          name: Controller Version
          description: 'Current NGINX Ingress Controller version.'
          type: string
        - jsonPath: .status.loadBalancer.ip
          name: IP
          description: 'Current NGINX Ingress Controller LoadBalancer IP'
          type: string
        - jsonPath: .status.loadBalancer.hostname
          name: Hostname
          description: 'Current NGINX Ingress Controller LoadBalancer hostname'
          type: string
